In the Era of phishing and its prevention

October 7, 2020

The coronavirus pandemic crisis gave criminals a big opportunity to lure victims into taking their phishing bait. Phishing attacks are not new to the threat landscape; the first phishing email is thought to have originated around 1995. It has been an extremely common attack for many years, and its impact and the risks involved are well known to most Internet users. Criminals rely on deceit and manufacture a sense of urgency to achieve their target with phishing campaigns. They also draw on the huge amount of information that victims share about themselves on their social networks.

What exactly is phishing?

It is a type of cyber attack that uses disguised email as a weapon. The main goal is to trick the recipient into believing that the message contains something they need to act on immediately, such as a request from their bank, a KYC update for an account, an attractive Google Pay offer, SIM blocking/swapping, card blocking, etc., and to click a malicious link or download an attachment that can lead to the installation of malware. It may freeze the system as part of a ransomware attack, or it may reveal sensitive information. It steals user data, including login credentials and credit card numbers, with devastating results: unauthorized purchases, stolen funds, money transfers, or identity theft.

Phishing techniques

Phishing can be carried out using different techniques. Some of them are:

Spear-phishing

Spear phishing aims to steal sensitive information such as account credentials and financial information from a particular victim. This is achieved by gathering personal details on the victim, such as their friends, hometown, date of birth, employer, locations they frequently visit, and what they have recently bought online. The attackers then pose as a trustworthy acquaintance or entity to acquire sensitive information via email or other online messaging. It is the most common and successful form of collecting confidential information on the internet.

How does spear phishing work?

The attacker targets victims who share personal information on the internet. They might view individual profiles while scanning social networks. They will be able to find a person’s email address, friends list, geographic location, phone number, daily updates, and any posts about new gadgets that were recently bought. With this information, the attacker can pose as a friend or a familiar acquaintance and send a convincing but fraudulent message to their target.

Those messages often contain urgent explanations of why they need sensitive information, or why the recipient must download an attachment that carries malware or malicious code. Victims are asked to open that attachment or a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs, and access codes. An attacker might ask for usernames and passwords for various websites, such as Facebook, so that they can access shared information.

The attackers will use that password, or variations of it, to access different websites that have some sensitive information such as credit card details or Social Security Numbers. Once an attacker has gathered enough sensitive information, they can access bank accounts or even create a new identity using their victim’s information.

Vishing attack

Vishing is actually a combination of two words, voice and phishing. Vishing is a social engineering attack that attempts to trick victims into giving up sensitive information over the phone. In most cases, the attacker strategically manipulates human emotions, such as fear, sympathy, and greed to accomplish their goals.

Instead of an email, the attacker uses a phone call, to a landline or a mobile. Cybercriminals primarily use VoIP (voice over internet protocol) technology to create spoofed phone numbers and phony caller IDs to cover up their identity.

Both phishing and vishing attacks are highly effective; however, the vishing attack appears to be the preferred method of attack today.

The NSA recently reported in a COVID-19 article that a foreign country was allegedly trying to acquire COVID-19 vaccination formulas. The foreign country denied the accusation. The NPR article did not specifically state whether the attack was phishing or vishing, but the motivation would have been to compromise sensitive documents or data for financial gain.

A recent spear vishing attack, or targeted attack, against Twitter highlights the growing concern. The attacker was able to gain access by manipulating a Twitter employee into providing access to internal tools. With this access, the attacker was able to control thousands of prominent accounts such as Bill Gates, Joe Biden, and Beyonce.

Pharming

Pharming is a two-step process. First, attackers install malicious code on your computer or server. Second, the code sends you to a fake website that tricks you into providing personal information. Pharming doesn’t require that initial click to take you to a fraudulent website; instead, you’re redirected there automatically, and the fraudster has immediate access to any personal information you enter on the site.

Do you get calls inquiring about the passwords of your bank accounts, insurance, credit cards and so forth?

You may have heard about Jamtara, India’s phishing hub. For more information about the Jamtara phishing hub, go through the India Today investigation.

Whaling

It is a form of spear phishing aimed only at the big fish: a CEO or other high-profile target. Many of these scams target company board members, who are considered particularly vulnerable. In many whaling attacks, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.

How to prevent phishing

Education

  • Education is a vital component of the phishing battle, as well as of the fight against other online scams. People should be aware of phishing scams and their techniques.
  • Follow up with security awareness training for staff.
  • Don’t reply to e-mails asking you to confirm account information. Call or log on to the company’s web site to confirm that the e-mail is legitimate.
  • Don’t e-mail personal information. When submitting information via a web site, make sure the security lock is displayed in the browser.
  • Review credit card and bank account statements for suspicious activity, and report anything suspicious.
  • Don’t share your credit card details, CVV number, OTP, security number or PIN code.

Two-factor authentication

  • It is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive applications.
  • 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphone. Even when employees are compromised, 2FA prevents the use of their compromised credentials.

Preventive steps for vishing attacks

  • If you receive unsolicited calls, don’t pick up.
  • Use mobile apps to block unsolicited callers.
  • Disconnect immediately if the caller sounds suspicious.
  • Verify the caller’s identity; obtain their name and organization web address.

Phishing prevention

  • Always check the spelling of the URLs in email links before you click or enter sensitive information.
  • Watch out for URL redirects, where you’re subtly sent to a different website with an identical design.
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email rather than just hitting reply.
  • Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media.

Firewalls

  • Use an email firewall that implements rules to block spam and phishing scams at the perimeter.
  • Email firewalls not only block spam, but also verify the IP addresses and web addresses of the e-mail source and compare them to known phishing sites.
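The URL checks in the prevention list above (misspelled hosts, display text that hides a different destination, and redirect lures) can be automated. The following is an added example, not code from the original post: it pulls the links out of an HTML email body and flags each one against a trusted-domain list; the TRUSTED set and the SAMPLE email are constructed for the demonstration.

```python
import difflib, re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TRUSTED = {"example-bank.com", "google.com"}  # assumed brands the reader deals with
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
SAMPLE = """<a href="https://examp1e-bank.com/login">https://example-bank.com/login</a>
<a href="https://example-bank.com/r?u=https://evil.example/x">Click here</a>
<a href="https://example-bank.com/help">help</a>"""  # constructed lure-style body

class _Links(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_link(href, text):
    """Return the reasons a link looks like a phishing lure (empty list = nothing found)."""
    reasons, host = [], _host(href)
    # 1. The visible text shows one host while the href really points to another.
    if URL_LIKE.fullmatch(text) and _host(text) != host:
        reasons.append("display/href mismatch: %s -> %s" % (_host(text), host))
    # 2. Registered domain is a near-miss of a trusted one (examp1e-bank.com), or the
    #    brand name is buried in a subdomain of an untrusted domain (google.com.evil.net).
    base = ".".join(host.split(".")[-2:])
    for good in sorted(TRUSTED):
        if base != good and difflib.SequenceMatcher(None, base, good).ratio() >= 0.85:
            reasons.append("lookalike of %s: %s" % (good, host))
        elif base != good and good.split(".")[0] in host:
            reasons.append("brand name in untrusted host: %s" % host)
    # 3. A second URL carried in a query parameter: the "URL redirect" pattern.
    for key, vals in parse_qs(urlparse(href).query).items():
        if any("://" in v for v in vals):
            reasons.append("redirect via query parameter %r" % key)
    return reasons

def scan_email(html):
    """Map every href in the email body to its list of warnings."""
    parser = _Links(); parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Running scan_email(SAMPLE) flags the first link twice (display/href mismatch and a typosquatted host), the second once (a redirect parameter), and the third not at all; the 0.85 similarity threshold is a tuning choice, not a standard.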


Shivani Rai